feat: add simple SA module for managing SA and project IAM #118

Merged
merged 11 commits into from
May 16, 2024
1 change: 0 additions & 1 deletion .gitignore
Expand Up @@ -43,7 +43,6 @@ crash.log
**/*.tfvars

credentials.json
**/go.sum
**/*.gpg
**/get-key
**/*.zip
20 changes: 20 additions & 0 deletions build/int.cloudbuild.yaml
Expand Up @@ -27,6 +27,11 @@ steps:
- id: create
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do create']
- id: create-all
waitFor:
- prepare
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'cft test run all --stage init --verbose']
- id: converge
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do converge']
Expand All @@ -36,6 +41,21 @@ steps:
- id: destroy
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'source /usr/local/bin/task_helper_functions.sh && kitchen_do destroy']
- id: apply simple-sa
waitFor:
- create-all
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'cft test run TestSimpleSA --stage apply --verbose']
- id: verify simple-sa
waitFor:
- apply simple-sa
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'cft test run TestSimpleSA --stage verify --verbose']
- id: teardown simple-sa
waitFor:
- verify simple-sa
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'cft test run TestSimpleSA --stage teardown --verbose']
tags:
- 'ci'
- 'integration'
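--- a/examples/simple_sa/README.md
+++ b/examples/simple_sa/README.md
@@ -0,0 +1,24 @@
+# Simple Example
+
+This example shows how to use the `simple-sa` submodule.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| project\_id | The ID of the project in which to provision resources. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| email | Service account email |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure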
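--- a/examples/simple_sa/main.tf
+++ b/examples/simple_sa/main.tf
@@ -0,0 +1,27 @@
+/**
+* Copyright 2024 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+module "sa" {
+source = "terraform-google-modules/service-accounts/google//modules/simple-sa"
+version = "~> 4.0"
+
+project_id = var.project_id
+name = "simple-account"
+project_roles = [
+"roles/compute.imageUser",
+"roles/compute.networkUser"
+]
+}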
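Review bot: The example pulls `modules/simple-sa` from the registry with `version = "~> 4.0"`, but that submodule does not exist in any published release yet, so `terraform init` on this example will fail until a release containing this PR is cut, and the new `TestSimpleSA` stages in int.cloudbuild.yaml will either fail at init or, once released, exercise the registry copy rather than the code in this PR. Unless the test harness rewrites registry sources to local paths (I cannot tell from here), consider pointing the example at `source = "../../modules/simple-sa"` during development, or verify that the CI tooling performs that substitution. A one-line comment above `source` stating which copy the integration test exercises would make the intent clear to the next reader.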
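--- a/examples/simple_sa/outputs.tf
+++ b/examples/simple_sa/outputs.tf
@@ -0,0 +1,20 @@
+/**
+* Copyright 2024 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+output "email" {
+description = "Service account email"
+value = module.sa.email
+}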
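--- a/examples/simple_sa/variables.tf
+++ b/examples/simple_sa/variables.tf
@@ -0,0 +1,20 @@
+/**
+* Copyright 2024 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+variable "project_id" {
+description = "The ID of the project in which to provision resources."
+type = string
+}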
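--- a/modules/simple-sa/README.md
+++ b/modules/simple-sa/README.md
@@ -0,0 +1,41 @@
+# Terraform Simple Service Account module
+
+This submodule creates a service account and optionally grants specified roles on the project.
+
+## Usage
+
+Basic usage of this submodule is as follows:
+
+```hcl
+module "sa" {
+source = "terraform-google-modules/service-accounts/google//modules/simple-sa"
+version = "~> 4.0"
+
+project_id = "<PROJECT ID>"
+name = "sa-name"
+project_roles = [
+"roles/compute.imageUser",
+"roles/compute.networkUser"
+]
+}
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| description | Default description of the created service accounts (defaults to no description) | `string` | `""` | no |
+| display\_name | Display name of the created service accounts (defaults to 'Terraform-managed service account') | `string` | `"Terraform-managed service account"` | no |
+| name | Name of service account | `string` | n/a | yes |
+| project\_id | Project id where service account will be created | `string` | n/a | yes |
+| project\_roles | Roles to grant the SA in specified project | `list(string)` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| email | Service account email |
+| id | Service account id and email |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->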
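--- a/modules/simple-sa/main.tf
+++ b/modules/simple-sa/main.tf
@@ -0,0 +1,29 @@
+/**
+* Copyright 2024 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+resource "google_service_account" "sa" {
+project = var.project_id
+account_id = var.name
+display_name = var.display_name
+description = var.description
+}
+
+resource "google_project_iam_member" "roles" {
+for_each = toset(var.project_roles)
+project = var.project_id
+role = each.value
+member = google_service_account.sa.member
+}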
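Review bot: `member = google_service_account.sa.member` relies on the provider's computed `member` attribute, which as far as I recall was only added in the 4.x series of the google provider, while versions.tf in this PR still accepts `>= 3.53, < 6`; a user on an older allowed provider would get an "unsupported attribute" error at plan time. Either raise the lower bound in versions.tf to a release that exposes `member`, or build the principal explicitly with `member = "serviceAccount:${google_service_account.sa.email}"`, which works across the whole declared range. A short comment on the `google_project_iam_member` block noting that it is non-authoritative (it adds bindings and never removes bindings it does not manage) would also help readers reason about the blast radius of `project_roles`.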
84 changes: 84 additions & 0 deletions modules/simple-sa/metadata.yaml
@@ -0,0 +1,84 @@
# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: blueprints.cloud.google.com/v1alpha1
kind: BlueprintMetadata
metadata:
name: terraform-google-service-accounts
annotations:
config.kubernetes.io/local-config: "true"
spec:
info:
title: Terraform Simple Service Account module
source:
repo: https://github.com/terraform-google-modules/terraform-google-service-accounts.git
sourceType: git
dir: /modules/simple-sa
version: 4.2.3
actuationTool:
flavor: Terraform
version: ">= 0.13.0"
description: {}
content:
examples:
- name: key_distributor
location: examples/key_distributor
- name: multiple_service_accounts
location: examples/multiple_service_accounts
- name: simple_sa
location: examples/simple_sa
- name: single_service_account
location: examples/single_service_account
interfaces:
variables:
- name: description
description: Default description of the created service accounts (defaults to no description)
varType: string
defaultValue: ""
- name: display_name
description: Display name of the created service accounts (defaults to 'Terraform-managed service account')
varType: string
defaultValue: Terraform-managed service account
- name: name
description: Name of service account
varType: string
required: true
- name: project_id
description: Project id where service account will be created
varType: string
required: true
- name: project_roles
description: Roles to grant the SA in specified project
varType: list(string)
required: true
outputs:
- name: email
description: Service account email
requirements:
roles:
- level: Project
roles:
- roles/resourcemanager.projectIamAdmin
- roles/iam.serviceAccountAdmin
- roles/iam.serviceAccountUser
- roles/iam.serviceAccountKeyAdmin
- roles/storage.admin
- roles/cloudfunctions.admin
- roles/serviceusage.serviceUsageAdmin
services:
- cloudresourcemanager.googleapis.com
- iam.googleapis.com
- serviceusage.googleapis.com
- cloudfunctions.googleapis.com
- cloudbuild.googleapis.com
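Review bot: The `requirements.roles` and `requirements.services` lists for this submodule appear to be copied from the root module's metadata and are far wider than what the submodule's own resources need: main.tf in this PR only creates a `google_service_account` and `google_project_iam_member` bindings, which as far as I can see require `roles/iam.serviceAccountAdmin` and `roles/resourcemanager.projectIamAdmin` plus the `iam` and `cloudresourcemanager` services. Listing `roles/iam.serviceAccountKeyAdmin`, `roles/storage.admin`, `roles/cloudfunctions.admin`, `roles/serviceusage.serviceUsageAdmin` and the cloudfunctions/cloudbuild services here tells consumers and the test-project setup to grant a deployer identity more than this module uses. Consider trimming both lists to the minimum the submodule actually exercises, and add a comment such as `# Minimum roles for the identity that applies this submodule` above `roles:` so future additions are justified rather than inherited.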
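--- a/modules/simple-sa/outputs.tf
+++ b/modules/simple-sa/outputs.tf
@@ -0,0 +1,28 @@
+/**
+* Copyright 2024 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+output "email" {
+description = "Service account email"
+value = google_service_account.sa.email
+}
+
+output "id" {
+description = "Service account id and email"
+value = {
+id = google_service_account.sa.account_id,
+email = google_service_account.sa.email
+}
+}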
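Review bot: The output named `id` does not expose the resource's `id` at all; its `id` key is `google_service_account.sa.account_id`, the short name the caller already passed in as `var.name`, so the output mostly echoes input and its description "Service account id and email" is misleading. Callers that need to attach IAM to the account itself (for example `google_service_account_iam_member`) need the full resource name, so consider exporting `google_service_account.sa.name` (or `.id`) as a separate `name` output and making the description precise, e.g. `description = "Map of the service account's account_id and email"`. A follow-up to the metadata and README output tables would then be needed to match whatever set of outputs is settled on.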
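--- a/modules/simple-sa/variables.tf
+++ b/modules/simple-sa/variables.tf
@@ -0,0 +1,42 @@
+/**
+* Copyright 2024 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+variable "project_id" {
+type = string
+description = "Project id where service account will be created"
+}
+
+variable "name" {
+type = string
+description = "Name of service account"
+}
+
+variable "display_name" {
+type = string
+description = "Display name of the created service accounts (defaults to 'Terraform-managed service account')"
+default = "Terraform-managed service account"
+}
+
+variable "description" {
+type = string
+description = "Default description of the created service accounts (defaults to no description)"
+default = ""
+}
+
+variable "project_roles" {
+type = list(string)
+description = "Roles to grant the SA in specified project"
+}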
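Review bot: `project_roles` has no default, so it is a required input, which contradicts the submodule README's statement that roles are granted "optionally" and forces callers who only want an account with no project bindings to pass an explicit empty list. Adding `default = []` to the `project_roles` block makes the no-bindings case the default and keeps the `for_each = toset(var.project_roles)` in main.tf a no-op, which is also the least-privilege default for a module whose whole purpose is to mint an identity. Since `name` is used directly as `account_id`, a `validation` block enforcing the service-account id format would turn a late API error into a plan-time one; the exact constraint is not on this page, so I would document the expected format in the description at minimum.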
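--- a/modules/simple-sa/versions.tf
+++ b/modules/simple-sa/versions.tf
@@ -0,0 +1,30 @@
+/**
+* Copyright 2024 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+terraform {
+required_version = ">= 0.13.0"
+
+required_providers {
+google = {
+source = "hashicorp/google"
+version = ">= 3.53, < 6"
+}
+}
+
+provider_meta "google" {
+module_name = "blueprints/terraform/terraform-google-service-accounts:simple-sa/v4.2.3"
+}
+}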